Thread: Configuring Samba for local lan workgroup

  1. #1
    Join Date
    Jan 2013
    Location
    Glasgow. UK
    Posts
    13

    Configuring Samba for local lan workgroup

    Reading https://forums.opensuse.org/content....-Lan-Workgroup
    there is a section "Configure the Firewall for Samba"

    There it reads "Set your network services: Go To Yast ==> Security & users ==> Firewall ==> Allowed Services ==> set these allowed services: Netbios server, Samba client, Samba server."

    On a recent clean install of openSUSE Leap 15.1, in "firewall configuration", the only services are "samba" and "samba-client". I guess "samba" == "Samba Server", but what is the equivalent of "Netbios server"?

    I ask because I am trying to use smbtree to browse my current network accessible samba shares (Linux and Windows). I have enabled both "samba" and "samba-client" on the zone "internal" to which my eth0 is allocated. If I have the firewall enabled and use "smbtree -b -d 3" I get:

    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[global]"
    directory_create_or_exist_strict: invalid ownership on directory /var/lib/samba/lock/msg.lock
    cmdline_messaging_context: Unable to initialize messaging context.
    Unable to initialize messaging context
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[global]"
    added interface eth0 ip=192.168.111.88 bcast=192.168.111.255 netmask=255.255.255.0
    name_resolve_bcast: Attempting broadcast lookup for name __MSBROWSE__<0x1>

    i.e. NO shares showing.

    If I disable the firewall I get the following (too verbose with the -d 3), showing all my shares.

    smbtree -b -d
    Unable to initialize messaging context
    WORKGROUP
    \\TIGRU tigru
    \\TIGRU\IPC$ IPC Service (tigru)
    \\TIGRU\home Home
    \\TIGRU\surveillance
    \\TIGRU\homes System default share
    \\TIGRU\gilliansfolder A place to keep non-photo-non-music junk
    \\TIGRU\raysfolder junk drop from all computers
    \\TIGRU\Network Recycle Bin 1 [RAID5 Disk Volume: Drive 1 2 3]
    \\TIGRU\Public System default share
    \\TIGRU\Usb System default share
    \\TIGRU\Web System default share
    \\TIGRU\Recordings System default share
    \\TIGRU\Download System default share
    \\TIGRU\Multimedia System default share
    \\SUKI Rays portable Windows
    \\LINUXTWO Samba 4.2.4-3.54.2-3638-SUSE-oS13.1-i386
    \\LINUXTWO\Officejet_Pro_8600 Officejet_Pro_8600
    \\LINUXTWO\Officejet_Pro_8600_fax Officejet_Pro_8600_fax
    \\LINUXTWO\IPC$ IPC Service (Samba 4.2.4-3.54.2-3638-SUSE-oS13.1-i386)
    \\LINUXTWO\rayshomel2 linuxtwo home for ray
    \\LINUXTWO\print$ Printer Drivers
    \\LINUXTWO\users All users
    \\LINUXTWO\profiles Network Profiles Service
    \\DECOBERTLOCAL Netbios-Arada 0.9.10
    \\CATS Samba 4.9.5-git.149.9593f64a5c3lp151.1.3-SUSE-oS
    \\CATS\IPC$ IPC Service (Samba 4.9.5-git.149.9593f64a5c3lp151.1.3-SUSE-oS15.0-x86_64)
    \\CATS\catsdl Downloads on cats
    \\CATS\print$ Printer Drivers
    \\CATS\groups All groups
    \\CATS\users All users
    \\CATS\profiles Network Profiles Service
    \\ANN-HP

    So, the firewall is interfering with smbtree activities on the network. If I turn on dropped packet logging I get a packet dropped every time I run smbtree (6 times shown below) with firewall enabled viz:

    Jul 14 12:04:16 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=44195 DF PROTO=UDP SPT=137 DPT=38345 LEN=70
    Jul 14 12:10:14 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=2470 DF PROTO=UDP SPT=137 DPT=48070 LEN=70
    Jul 14 12:13:11 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=3793 DF PROTO=UDP SPT=137 DPT=35594 LEN=70
    Jul 14 12:20:41 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=42352 DF PROTO=UDP SPT=137 DPT=58558 LEN=70
    Jul 14 12:33:22 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52327 DF PROTO=UDP SPT=137 DPT=59941 LEN=70
    Jul 14 12:54:15 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=40772 DF PROTO=UDP SPT=137 DPT=44976 LEN=70

    The destination ports vary a lot, the source is always 137 which is one of the smb ports. The destination is the computer "cats" (192.168.111.88) and the source is the master browser (and router). Cats is rejecting UDP messages from the master browser.
    How can I stop it dropping them? Is this related to "Netbios server" service that I cannot find to enable in the firewall? Obviously I could just turn off the firewall, but I would prefer not.

    Thank you in advance for any help you can give.

  2. #2
    Join Date
    Jan 2013
    Location
    Glasgow. UK
    Posts
    13

    Re: Configuring Samba for local lan workgroup

    I think I might have found a culprit for this. Looking at the logs I see:

    cats kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

    Perhaps this means that the conntrack_netbios_ns helper has not been used. That is, the Opensuse developers have decided to turn off automatic helper assignment but have not included a firewall rule using CT target to load it.

    It exists in the system i.e. lsmod|grep netbios gives:

    nf_conntrack_netbios_ns 16384 2
    nf_conntrack_broadcast 16384 1 nf_conntrack_netbios_ns
    nf_conntrack 155648 11 nf_conntrack_ipv6,nf_conntrack_ipv4,nf_conntrack_broadcast,nf_conntrack_sane,nf_conntrack_netlink,nf_conntrack_netbios_ns,xt_CT,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat

    I don't think I have the necessary knowledge to patch that into the firewall rules. I looked at https://home.regit.org/netfilter-en/...se-of-helpers/ but it is beyond my capability to translate that into what I do in an Opensuse GUI.
    Anybody any suggestions?

  3. #3
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,651

    Re: Configuring Samba for local lan workgroup

    Which firewall? 15.1 has transitioned to firewalld. If you arrived via upgrades, it may be possible you are still trying to use susefirewall.

  4. #4
    Join Date
    Jan 2013
    Location
    Glasgow. UK
    Posts
    13

    Re: Configuring Samba for local lan workgroup

    Hi Gogalthorp, I am pretty sure I am using firewalld. I only installed 15.1 from the distribution media a few days ago. I am trying to get it at least as good functionally as 42.3 was.

    Here is the output of "systemctl status firewalld":

    ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
    Active: active (running) since Sun 2019-07-14 16:07:11 CEST; 1h 30min ago
    Docs: man:firewalld(1)
    Main PID: 28819 (firewalld)
    Tasks: 2 (limit: 4915)
    CGroup: /system.slice/firewalld.service
    └─28819 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

    I configured it using YAST under the heading of "firewall". However, it tells me nothing about which firewall is in use. Nor does it tell me just what rules are invoked when I enable "samba client".
    Therefore I installed firewall-config. There it shows exactly the same services as the YAST plugin but more options. There I can see helpers. It also tells me that the automatic helpers are off. I think I might try turning them on and seeing what happens.
    Thanks for your attention.

  5. #5
    Join Date
    Jan 2013
    Location
    Glasgow. UK
    Posts
    13

    Re: Configuring Samba for local lan workgroup

    Suspicions confirmed, when I used firewall-config to turn on the automatic helpers, the browse now works with the firewall on.

    Unfortunately, the YAST firewall module for firewalld has no such option. I guess that there is a file somewhere with the necessary configuration.

    It looks like the YAST firewall module has been "simplified" i.e. no longer much use.

    I may just make the helpers automatic permanently rather than try to get Opensuse 15.1 changed to work out of the box for samba browsing.
    I suspect that someone will have to make changes to the service "samba client" to add in CT rules. With the YAST module you cannot see what rules are added for this service although there are command line tools plus diff I suppose.

    I am not skilled enough in iptables to do that myself.
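
Added example, not part of the thread: a small log triage script for the symptom the posts above work through, rejected UDP replies from source port 137 to an ephemeral port together with the kernel's "automatic helper assignment has been turned off" message. The function names are hypothetical; the sample lines are shortened from posts #1 and #2, and the final TCP line is constructed.

```shell
#!/bin/sh
# Added example: triage kernel firewall logs for untracked NetBIOS replies.
# Sample lines 1-4 are shortened from posts #1 and #2; line 5 is constructed
# to show that unrelated rejects are ignored.
sample_log() {
cat <<'EOF'
Jul 14 12:04:16 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.254 DST=192.168.111.88 LEN=90 PROTO=UDP SPT=137 DPT=38345 LEN=70
Jul 14 12:10:14 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.254 DST=192.168.111.88 LEN=90 PROTO=UDP SPT=137 DPT=48070 LEN=70
Jul 14 12:13:11 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.254 DST=192.168.111.88 LEN=90 PROTO=UDP SPT=137 DPT=35594 LEN=70
cats kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
Jul 14 12:15:00 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.50 DST=192.168.111.88 LEN=60 PROTO=TCP SPT=51000 DPT=22
EOF
}

# Print "SRC DST COUNT" for rejected UDP packets sent from port 137 to an
# unprivileged port: unicast answers to a broadcast name lookup that the
# firewall did not associate with the outgoing query.
netbios_reply_drops() {
  awk '
    /FINAL_REJECT/ {
      src = dst = proto = ""; spt = dpt = 0
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        if (kv[1] == "DST") dst = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "SPT") spt = kv[2] + 0
        if (kv[1] == "DPT") dpt = kv[2] + 0
      }
      if (proto == "UDP" && spt == 137 && dpt >= 1024) n[src " " dst]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Succeeds if the log carries the kernel notice quoted in post #2.
helper_assignment_off() {
  grep -q 'nf_conntrack: default automatic helper assignment has been turned off'
}

diagnose() {  # $1 = path to a log file
  drops=$(netbios_reply_drops < "$1")
  [ -n "$drops" ] || { echo "no NetBIOS name-service reply drops"; return 0; }
  echo "$drops"
  if helper_assignment_off < "$1"; then
    echo "conntrack helper not attached: replies to broadcast lookups are untracked"
  fi
}

tmp=$(mktemp); sample_log > "$tmp"; diagnose "$tmp"; rm -f "$tmp"
```

The kernel notice itself names the narrower alternative to turning automatic helpers back on for everything: a CT-target rule that attaches the NetBIOS name-service helper only to the outgoing port 137 lookups.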
